A bug report submitted on Open Radar this week reveals a major security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.
MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps:
• Click on System Preferences .
• Click on App Store .
• Click on the padlock icon to lock it if necessary.
• Click on the padlock icon again.
• Enter your username and any password .
• Click Unlock .
As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account.
We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.
MacRumors is also unable to reproduce the issue on macOS Sierra version 10.12.6, suggesting the issue affects macOS High Sierra only.
The implications of this security vulnerability are rather serious. Anyone with physical or remote access to your Mac could unlock the App Store preferences and enable or disable settings to automatically install macOS updates, app updates, system data files, and, ironically, even security updates.
This is the second major password-related bug to affect macOS High Sierra in as many months, following a major security vulnerability that enabled access to the root superuser account with a blank password on macOS High Sierra version 10.13.1 that Apple fixed with a supplemental security update .
Following the root password vulnerability, Apple apologized in a statement and added that it was "auditing its development processes to help prevent this from happening again," but it has now happened again.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
Apple will likely want to fix this latest security vulnerability as quickly as possible, so it's possible we'll see a similar supplemental update released, or perhaps it will fast track the release of macOS High Sierra version 10.13.3. Apple did not immediately respond to our request for comment on this matter.
In the meantime, we can't think of an obvious workaround for this issue, so if you keep your App Store preferences behind lock, you'll want to keep a close eye on your Mac until further notice. If we learn of a solution, we'll share it.
We're still investigating further to confirm if macOS High Sierra versions 10.13 or 10.13.1 are affected. We'll update this article as we learn more.
Related Roundup:macOS High Sierra
Tag:Mac App Store
macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password